AWS IoT
Developer Guide

Certificate Policy Examples

Registered devices

For devices registered in AWS IoT Registry, the following policy grants permission to connect to AWS IoT with a client id that matches a thing name, and to publish to a topic whose name is equal to the certificateId of the certificate the device used to authenticate itself:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:CertificateId}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ]
    }
  ]
}

Unregistered devices

For devices not registered in AWS IoT Registry, the following policy grants permission to connect to AWS IoT with client ids "client1", "client2", and "client3" and to publish to a topic whose name is equal to the certificateId of the certificate the device used to authenticate itself:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:CertificateId}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/client1",
        "arn:aws:iot:us-east-1:123456789012:client/client2",
        "arn:aws:iot:us-east-1:123456789012:client/client3"
      ]
    }
  ]
}

Registered devices

For devices registered in AWS IoT Registry, the following policy grants permission to connect to AWS IoT with a client id that matches a thing name, and to publish to a topic whose name is equal to the subject's common name field of the certificate the device used to authenticate itself:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:Certificate.Subject.CommonName}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ]
    }
  ]
}

Note

In this example, the certificate's subject common name is used as the topic identifier, with the assumption that the subject common name is unique for each registered certificate. If the certificates are shared across multiple devices, the subject common name will be the same for all the devices sharing this certificate, thereby allowing publish privileges to the same topic from multiple devices (not recommended).

Unregistered devices

For devices not registered in AWS IoT Registry, the following policy grants permission to connect to AWS IoT with client ids "client1", "client2", and "client3" and to publish to a topic whose name is equal to the subject's common name field of the certificate the device used to authenticate itself:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/${iot:Certificate.Subject.CommonName}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/client1",
        "arn:aws:iot:us-east-1:123456789012:client/client2",
        "arn:aws:iot:us-east-1:123456789012:client/client3"
      ]
    }
  ]
}

Note

In this example, the certificate's subject common name is used as the topic identifier, with the assumption that the subject common name is unique for each registered certificate. If the certificates are shared across multiple devices, the subject common name will be the same for all the devices sharing this certificate, thereby allowing publish privileges to the same topic from multiple devices (not recommended).

Registered devices

For devices registered in AWS IoT Registry, the following policy grants permission to connect to AWS IoT with a client id that matches a thing name, and to publish to a topic whose name is prefixed with "admin/" when the certificate used to authenticate the device has its Subject.CommonName.2 field set to "Administrator":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/admin/*" ],
      "Condition": {
        "StringEquals": {
          "iot:Certificate.Subject.CommonName.2": "Administrator"
        }
      }
    }
  ]
}

Unregistered devices

For devices not registered in AWS IoT Registry, the following policy grants permission to connect to AWS IoT with client ids "client1", "client2", and "client3" and to publish to a topic whose name is prefixed with "admin/" when the certificate used to authenticate the device has its Subject.CommonName.2 field set to "Administrator":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/client1",
        "arn:aws:iot:us-east-1:123456789012:client/client2",
        "arn:aws:iot:us-east-1:123456789012:client/client3"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/admin/*" ],
      "Condition": {
        "StringEquals": {
          "iot:Certificate.Subject.CommonName.2": "Administrator"
        }
      }
    }
  ]
}

Registered devices

For devices registered in AWS IoT Registry, the following policy grants permission to connect to AWS IoT with a client id that matches a thing name, and to publish to the specific topic consisting of "admin/" followed by that thing name when the certificate used to authenticate the device has any one of its Subject.CommonName fields set to "Administrator":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/admin/${iot:Connection.Thing.ThingName}" ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "iot:Certificate.Subject.CommonName.List": "Administrator"
        }
      }
    }
  ]
}

Unregistered devices

For devices not registered in AWS IoT Registry, the following policy grants permission to connect to AWS IoT with client ids "client1", "client2", and "client3" and to publish to the topic "admin" when the certificate used to authenticate the device has any one of its Subject.CommonName fields set to "Administrator":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "iot:Connect" ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:client/client1",
        "arn:aws:iot:us-east-1:123456789012:client/client2",
        "arn:aws:iot:us-east-1:123456789012:client/client3"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [ "iot:Publish" ],
      "Resource": [ "arn:aws:iot:us-east-1:123456789012:topic/admin" ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "iot:Certificate.Subject.CommonName.List": "Administrator"
        }
      }
    }
  ]
}
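As an added illustration (not code from the guide or from AWS), the following Python models how the registered-devices policy from the last example is evaluated for a connection: the ${iot:Connection.Thing.ThingName} variable is expanded from the connecting thing, and the ForAnyValue:StringEquals condition is checked against the certificate's list of common names. The connection contexts are constructed sample values, and the evaluator is a simplified model that covers only the operators used on this page (no explicit Deny).

```python
import re

# Policy from the "registered devices" example above, written as a Python dict.
ADMIN_TOPIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"],
         "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]},
        {"Effect": "Allow", "Action": ["iot:Publish"],
         "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/admin/${iot:Connection.Thing.ThingName}"],
         "Condition": {"ForAnyValue:StringEquals": {"iot:Certificate.Subject.CommonName.List": "Administrator"}}},
    ],
}

def substitute(template, ctx):
    """Expand ${iot:...} policy variables from the connection context; unknown variables stay literal."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), m.group(0))), template)

def arn_matches(pattern, resource, ctx):
    """Match a resource ARN against a Resource entry after variable expansion; '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in substitute(pattern, ctx).split("*"))
    return re.fullmatch(regex, resource) is not None

def condition_holds(condition, ctx):
    """Evaluate the two condition operators used by the policies on this page."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            values = actual if isinstance(actual, list) else [actual]
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "ForAnyValue:StringEquals" and expected not in values:
                return False
    return True

def is_allowed(policy, action, resource, ctx):
    """Allow only when some Allow statement covers the action, the resource and its Condition."""
    return any(
        action in stmt["Action"]
        and condition_holds(stmt.get("Condition", {}), ctx)
        and any(arn_matches(r, resource, ctx) for r in stmt["Resource"])
        for stmt in policy["Statement"] if stmt["Effect"] == "Allow"
    )

# Constructed connection contexts (sample values, not from the guide): what AWS IoT derives
# from the presented certificate and the thing attached to it.
ADMIN_CTX = {"iot:Connection.Thing.ThingName": "gateway-01",
             "iot:Certificate.Subject.CommonName.List": ["gateway-01", "Administrator"]}
PLAIN_CTX = {"iot:Connection.Thing.ThingName": "sensor-07",
             "iot:Certificate.Subject.CommonName.List": ["sensor-07"]}
TOPIC_ARN = "arn:aws:iot:us-east-1:123456789012:topic/admin/"
```

With these contexts, gateway-01 may publish only to admin/gateway-01, and sensor-07 may not publish to any admin/ topic because its certificate carries no "Administrator" common name.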